In this ongoing arms race between security specialists and hackers, hackers are still finding new ways to get around our defenses. Attacks used by famous hackers in the past are used as starting points or even inspiration. Oftentimes, security specialists just can’t develop new defenses as quickly as hackers develop new attacks. With most of the computer users throughout the world rather ignorant when it comes to online safety, many often fall victim to attacks and don’t know how to avoid them.

While information regarding how to stay secure online is a little more mainstream these days, techniques past having a strong password and avoiding public networks are still unheard of by these users. People still use public kiosks to charge their smart phones without a second thought, and many reuse their passwords for each account they create online.

Security and anti-virus programs do provide a level of support, but not everything can be defended against yet. Hackers are getting sneakier and many of their techniques and attacks often go unnoticed by even experienced users. Here are 10 of the most insidious hacking techniques to avoid.

1. “Relative versus Absolute” Path Exploitation

Used primarily in legacy versions of Windows and other early operating systems, the “relative versus absolute” exploitation takes advantage of those operating systems’ tendencies to start searching first in the current folder or directory when locating a file or application. Rather than spending time searching for files, a Windows user could simply open Windows Explorer, type in the file name, and then press enter.

Because these older operating systems first search the current directory for the file, this can easily be exploited. Already present malware could create another, fake program of the same name and copy it to your current directory. The faux-program would run instead, potentially opening your system up to even more damage.

How can I protect myself?

This is a fairly old technique, so it won’t be as much of a problem for most computer users. However, for those who are using legacy versions of Windows or other early operating systems, avoid searching via the Windows Explorer. It may be more time consuming, but finding the file or application on your own in the directory you know it’s located in is the best way to protect yourself.
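The lookup behaviour described in this section can be modelled and checked for in a few lines. The following Python sketch is an added example, not part of the original article: it compares a bare-name lookup that starts in the current directory with an absolute path, and lists files in a working folder that share a name with a program in a trusted folder. The folder names and calc.exe are constructed sample data.

```python
import os
import tempfile


def resolve(name, current_dir, trusted_dirs, current_dir_first=True):
    """Model the lookup: an absolute path is used as given; a bare name
    is searched for, optionally starting in the current directory."""
    if os.path.isabs(name):
        return name if os.path.isfile(name) else None
    order = ([current_dir] if current_dir_first else []) + list(trusted_dirs)
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def shadowing_files(current_dir, trusted_dirs):
    """Files in current_dir whose name matches a program in a trusted dir."""
    trusted = {}
    for directory in trusted_dirs:
        for entry in os.listdir(directory):
            trusted.setdefault(entry.lower(), os.path.join(directory, entry))
    return [
        (os.path.join(current_dir, entry), trusted[entry.lower()])
        for entry in sorted(os.listdir(current_dir))
        if entry.lower() in trusted
    ]


def demo():
    """Build a constructed layout: a trusted folder and a working folder
    that contains a same-named file, then compare the lookups."""
    with tempfile.TemporaryDirectory() as root:
        system, work = os.path.join(root, "system"), os.path.join(root, "work")
        for folder in (system, work):
            os.mkdir(folder)
            open(os.path.join(folder, "calc.exe"), "w").close()
        open(os.path.join(work, "notes.txt"), "w").close()
        rel = resolve("calc.exe", work, [system])
        safe = resolve("calc.exe", work, [system], current_dir_first=False)
        absolute = resolve(os.path.join(system, "calc.exe"), work, [system])
        hits = shadowing_files(work, [system])
        return {
            "relative_from_work": os.path.relpath(rel, root),
            "trusted_only": os.path.relpath(safe, root),
            "absolute": os.path.relpath(absolute, root),
            "shadowing": [os.path.relpath(h[0], root) for h in hits],
        }


if __name__ == "__main__":
    print(demo())
```

The bare name resolves to the copy in the working folder, while the absolute path and the trusted-only search both reach the intended program.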

2. Hidden File Extensions in Windows

Windows and a few other operating systems have a problem — when a file is created with two extensions, by default only the first will be displayed. A file named FemaleCelebrityWithoutMakeup.jpeg.exe would be displayed as FemaleCelebrityWithoutMakeup.jpeg instead, deceiving anyone unaware of the true nature of the file. This setting is the default on Windows operating systems.

It is important to note that .exe is not the only potentially dangerous extension. If you run Java, for example, the .jar extension can be dangerous as it triggers the execution of Java programs. Other extensions that should set off red flags are .bat, .cmd, .com, and .sbr, among many others. These programs can be used to steal information off your computer, use your computer as a way to infect others, or even just delete your data completely. Many anti-malware programs can have difficulty with such file types, meaning that the best defense against them is to simply turn off the default setting so the full file name and file type are displayed.

A quick Google search brings up page after page of tips, techniques, and tutorials to create phony files with multiple file extensions. Some are advertised as a way to harmlessly prank a friend, however they could easily be used for more nefarious acts.

How can I protect myself?

Despite this being a default setting for Windows, it can be changed. After that, it’s just a matter of keeping an eye on extension names and knowing which may contain something dangerous.
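Keeping an eye on extension names can also be automated. The following Python sketch is an added example, not part of the original article: it flags file names whose real, final extension is one of the risky types listed above while the part that stays visible ends in a harmless-looking extension. The list of harmless-looking extensions is an assumption, and the file names in the usage are constructed samples.

```python
from pathlib import PurePath

# Extensions the article names as dangerous.
RISKY = {".exe", ".jar", ".bat", ".cmd", ".com", ".sbr"}
# Assumption: harmless-looking extensions a lure might imitate
# (this list is not from the article).
DECOY = {".jpeg", ".jpg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx", ".mp3"}


def shown_name(filename: str) -> str:
    """Name as listed when the final extension is hidden (the default)."""
    p = PurePath(filename)
    return p.stem if p.suffix else p.name


def is_disguised(filename: str) -> bool:
    """True when a risky final extension hides behind a decoy one."""
    suffixes = [s.lower() for s in PurePath(filename.strip()).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in RISKY and suffixes[-2] in DECOY


def audit(filenames):
    """Return (real name, shown name) pairs for every disguised file."""
    return [(n, shown_name(n)) for n in filenames if is_disguised(n)]


if __name__ == "__main__":
    # Constructed sample listing.
    sample = [
        "FemaleCelebrityWithoutMakeup.jpeg.exe",
        "Holiday.JPG.CMD",
        "setup.exe",          # single extension: visible risk, not disguised
        "v1.2.exe",           # dotted version number, not a decoy extension
        "report.final.pdf",   # two dots, harmless final extension
    ]
    for real, shown in audit(sample):
        print(f"{shown!r} is really {real!r}")
```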

3. USB Malware

In August 2014, researcher Karsten Nohl demonstrated the vulnerability of USB flash memory sticks at a Black Hat conference to a crowded room. The attack he used was called BadUSB. The vast majority of USB sticks aren’t nearly as secure as many assume, and Nohl’s demonstration proved that any USB device can be corrupted silently with malware. Clearly, this is a huge vulnerability which has no simple patch. Despite Nohl’s attempts to keep the code from being released to the public, two other researchers by the names of Adam Caudill and Brandon Wilson reverse-engineered the firmware and reproduced some of the malicious qualities of BadUSB just a few months later.

They then uploaded the code to GitHub, making the software readily available for anyone who desires to use it. The goal was to encourage USB manufacturers to address this vulnerability, or face the wrath of millions of defenseless users.

How can I protect myself?

Because anti-virus programs do not scan the actual firmware of the device (what makes the USB devices work as they should) but rather written memory instead, these threats cannot be detected. When plugged into a computer, an infected USB device can track keystrokes, steal information, and even destroy data vital to the computer’s functioning. Act on this by ensuring devices are scanned before they’re connected to your computer, and insist upon your contacts taking the same steps.

4. Internet of Things Attacks

If it’s connected to the Internet and has an IP address, then it can be hacked. You can protect your computer and smartphone from some malicious attacks using security software, but how can you protect your smart home devices? What about hospitals that rely on the Internet of Things to manage defibrillators or devices that track vital signs?

Summer Wars, directed by Mamoru Hosoda, follows a devastating attack by artificial intelligence targeting a global network very similar to the Internet of Things. Transportation is crippled, traffic congestion hinders emergency services, and an elderly woman dies due to the attack deactivating her heart monitor.

For smart devices, strong passwords are a must. Hard-wiring the devices directly to the Internet rather than relying on WiFi also adds an extra layer of security.

5. Fake Wireless Access Points

Fake wireless access points (WAPs) can be set up by hackers with relative ease, using only a wireless network card and a bit of software. Perhaps one of the easiest hacks in the trade, it relies on users’ needs for WiFi in airports, coffee shops, and cafes. All that is required is passing a hacker’s computer off as a legitimate WAP while simultaneously connecting to the real WAP. The phony WAPs are often named innocuously, like John Wayne Airport Free Wireless or Starbucks Wireless Network, and will often require that an account be created first in order to use the connection.

Without questioning it, users tend to input commonly used email addresses, usernames, and passwords, and once connected many send secure information, such as passwords and banking data. From there, it’s only a matter of time until the hacker begins trying that information out on Facebook, Amazon, or iTunes.

6. Cookie Theft

Cookies are little bits of data in the form of text files used by websites to identify you while browsing their site. These cookies can track you during a single visit, or even across multiple visits. When a cookie is identified by the website, it may preserve your log-in status. While this is convenient for frequent visitors to websites, it’s also convenient for hackers.

Despite cookie theft existing since the beginning of the Internet, browser add-ons and software have made it much easier for hackers to steal cookies from unknowing users. Cookie theft may also be used in conjunction with a fake WAP in order for hackers to glean as much information and data as they possibly can. In fact, a hacker could easily take over the session, using your cookies as his or her own. Even encrypted cookies aren’t immune from these attacks.

Meanwhile, if you’re a webmaster and your site’s encryption protection hasn’t been updated in a few years, your users could be at risk from cookie theft.

7. Google Glass Hacks

Google Glass, developed by Google, is a wearable technology that makes use of optical head-mounted display technology. Already the subject of concern from many privacy advocates, the possibility of Google Glass being hacked by cyber criminals further calls the device’s security into question.

When Google Glass is hacked, cyber-criminals are able to see anything you see. If you’re on your phone and typing in your bank or email password, hackers will see it too. The idea that Google Glass could be hacked is unheard of by many; in fact, it is far more common for concerns to only mention users wearing Google Glass to record the conversations of others or see others typing in passwords.

With more businesses banning Google Glass on their premises, users of the device are often shunned, or refused entry to businesses until the devices are removed. However, the possibility of Google Glass being hacked by cyber criminals who can literally see through your eyes still remains, and the risk may only continue to grow as more apps are developed and usage becomes more widespread. Currently physical access to the device is required in order to hack it, although that is less difficult than many would think.

How can I protect myself?

The best thing you can do to protect yourself is avoid letting someone else handle your Google Glass, and refrain from wearing it while handling personal information.

8. Government-Sponsored Malware

Yes, governments are creating malware, and it’s not just China or Russia. When Edward Snowden leaked NSA documents last year, he revealed the existence of two NSA-sponsored operations, codenamed MYSTIC and SOMALGET, which hijacked the mobile networks of several countries. Metadata on every call made to and from these countries is collected, while Afghanistan and the Bahamas are among the territories where phone call audio is recorded and stored.

In 2011, numerous systems belonging to both the European Commission and the European Council were found to have been hacked using a zero day exploit. Two years later, another attack occurred targeting Belgacom, a partially state-owned Belgian mobile network. Five months later, there was another high-profile attack, this time targeting prominent Belgian cryptographer Jean-Jacques Quisquater. Finally, in 2014, the spy tool used in all three attacks was identified and dubbed “Regin” by Microsoft. Furthermore, other leaked documents dating from 2010 reveal an NSA-sponsored operation that targeted the EU commission and council. Other documents revealed the existence of malware used by the NSA to target over 50,000 computer networks.

ISIS has also been reported to use malware to target Syrian citizen journalists critical of the group and unmask their identities. With ISIS making an effort to attract hackers, many, including FBI director James Comey, fear that the terrorist group is preparing to launch a cyber attack on the US.

Government-sponsored malware can be a little more difficult to protect yourself from. It isn’t unheard of for malware to be used to watch security cameras and collect footage in other countries. The best you can do is keep your computer and network protected and hope for the best.

It isn’t uncommon for the ad or site to be programmed to be benign when visited by the admin, typically delaying the time it takes to detect the issue and fix it.

Another method for bait-and-switch attacks involves the developer offering something free for millions of users, such as a page view counter to go at the bottom of a website which can be easily replaced by a malicious JavaScript redirect.

How can I protect myself?

While bait-and-switch attacks have been around for years, they are still incredibly difficult to defend against. Anything that you did not make yourself can be manipulated and used against you. But for people who can’t make such things themselves, their best option is to only seek out reputable companies when selling ad space or finding page view counters.

10. Social Engineering

We like to think that we’re strong-willed, that we couldn’t possibly be manipulated for information. We’re too smart for that, we tell ourselves. Nothing can get past us, we insist.

Social engineering, from a security standpoint, is the act of manipulating and tricking people in order to harm or gain access to their information. Often, it’s used in conjunction with other types of exploits, even convincing people to ignore proper security procedures. Social engineering tactics can be used to convince people to download email attachments or click on strange links that show up in messages from our friends.

Scareware, which also relies on social engineering, appears as a Windows alert, often passing itself off as a registry cleaner or anti-malware software claiming threats or vulnerabilities have been detected in your system. Users who see this are prompted to install software to ‘fix’ this issue. However, there may be nothing wrong with your computer as is and some programs installed may even be downright devastating to your system.

Unlike the other techniques in this list, social engineering cannot be defended against. IT professionals and tech support staff are especially becoming targets of social engineering. Sure, you can try to be as professional and adamant as you’d like, but the thought of being the jerk who wouldn’t let a confused or even hysterical user back into their account is enough to break even the strongest of wills. DefCon, an annual hacking conference held in Las Vegas, frequently holds tournaments to demonstrate how much information can be gleaned from a bit of social engineering.

In a way, this is perhaps the most insidious attack because it plays on one of our most human traits – our capacity for sympathy.

How can I protect myself?

Unfortunately, trying to defend yourself against social engineering can be downright impossible, as many cannot stand the idea of not being able to provide assistance. It isn’t difficult to manipulate people into giving information, either. While it may be uncomfortable, the safest form of action is to follow protocol and avoid giving out any personal information about yourself or your company until you are sure that the person you’re speaking to is really who they claim to be.

How Else Can I Stay Safe?

Common ways to keep yourself safe are to simply not allow pop-ups, use secure passwords, avoid public WiFi, and install a good anti-malware program that performs frequent scans. But these won’t keep you safe from everything. My younger sister recently encountered scareware in the form of a Windows registry error and was prompted to install a program promising to clear it up. Fortunately, she did her research before installing anything.

The best thing you can do to keep your information secure from hackers is to simply do your research and stay alert. Try to be up to date on the latest program vulnerabilities or malware floating around the Internet. As Mad-Eye Moody once said, “constant vigilance” is the key. It certainly won’t guarantee your protection from any sort of attack, but it will make a world of difference. If you believe your computer has been hacked, Christian Cawley has covered what to do in such a situation, such as running anti-malware software, checking your firewall, and how to protect yourself from offline hacking.

Are you a penetration tester who has used these techniques in the past? Have you ever been hacked in this way? Leave me a comment below and tell me your story!

Anonymous

September 9, 2015 at 5:35 pm

USB Malware - Article says antivirus programs don't scan firmware -- only written memory. So antivirus programs won't work. And yet, the advice given is to scan USB's before connecting them into our computers.

1. How on earth do you scan a USB drive before connecting to your computer? Use a friend's computer as victim instead??

2. Even if you accomplished #1, antivirus programs are ineffective, correct?

Either I missed something, or Taylor needs to think through her "solution" more?

OK, but the risk for a normal user is practically not present, so no need to worry. Windows 10 is a good example. Automatic updates and Windows Defender always working and updated. You do not need much more - maybe just a little bit of common sense.